5 files changed, 39 insertions, 25 deletions

diff --git a/AndroidManifest.xml b/AndroidManifest.xml
index ea7ddc915..43e16b050 100644
--- a/AndroidManifest.xml
+++ b/AndroidManifest.xml
@@ -182,7 +182,7 @@
             android:targetActivity="com.android.providers.media.photopicker.PhotoPickerActivity"
             android:exported="true"
             android:excludeFromRecents="true"
-            android:enabled="false">
+            android:enabled="true">
             <intent-filter android:priority="101" >
                 <action android:name="android.intent.action.GET_CONTENT" />
                 <category android:name="android.intent.category.OPENABLE" />
diff --git a/TEST_MAPPING b/TEST_MAPPING
index 6d5973591..08df77c08 100644
--- a/TEST_MAPPING
+++ b/TEST_MAPPING
@@ -65,7 +65,12 @@
             "name": "fuse_node_test"
         },
         {
-            "name": "CtsPhotoPickerTest"
+            "name": "CtsPhotoPickerTest",
+            "options": [
+                {
+                    "exclude-annotation": "androidx.test.filters.LargeTest"
+                }
+            ]
         }
     ],
     "postsubmit": [
@@ -83,6 +88,9 @@
                     "include-filter": "android.appsecurity.cts.ExternalStorageHostTest"
                 }
             ]
+        },
+        {
+            "name": "CtsPhotoPickerTest"
         }
     ]
 }
diff --git a/apex/apex_manifest.json b/apex/apex_manifest.json
index fe2ed118c..f24f2d204 100644
--- a/apex/apex_manifest.json
+++ b/apex/apex_manifest.json
@@ -1,4 +1,4 @@
 {
   "name": "com.android.mediaprovider",
-  "version": 339990000
+  "version": 990090000
 }
diff --git a/jni/FuseDaemon.cpp b/jni/FuseDaemon.cpp
index b2b8ab32c..fbd645a6a 100644
--- a/jni/FuseDaemon.cpp
+++ b/jni/FuseDaemon.cpp
@@ -711,7 +711,7 @@ static void pf_init(void* userdata, struct fuse_conn_info* conn) {
 
     // We don't want a getattr request with every read request
     conn->want &= ~FUSE_CAP_AUTO_INVAL_DATA & ~FUSE_CAP_READDIRPLUS_AUTO;
-    unsigned mask = (FUSE_CAP_SPLICE_WRITE | FUSE_CAP_SPLICE_MOVE | FUSE_CAP_SPLICE_READ |
+    uint64_t mask = (FUSE_CAP_SPLICE_WRITE | FUSE_CAP_SPLICE_MOVE | FUSE_CAP_SPLICE_READ |
                      FUSE_CAP_ASYNC_READ | FUSE_CAP_ATOMIC_O_TRUNC | FUSE_CAP_WRITEBACK_CACHE |
                      FUSE_CAP_EXPORT_SUPPORT | FUSE_CAP_FLOCK_LOCKS);
 
diff --git a/src/com/android/providers/media/MediaProvider.java b/src/com/android/providers/media/MediaProvider.java
index 62f0a5ae5..d8aefcf2a 100644
--- a/src/com/android/providers/media/MediaProvider.java
+++ b/src/com/android/providers/media/MediaProvider.java
@@ -3947,8 +3947,8 @@ public class MediaProvider extends ContentProvider {
                 // gallery is not allowed to create non-default top level directory.
                 final boolean createNonDefaultTopLevelDir = primary != null &&
                         !FileUtils.buildPath(volumePath, primary).exists();
-                validPath = !createNonDefaultTopLevelDir && canAccessMediaFile(
-                        res.getAbsolutePath(), /*excludeNonSystemGallery*/ true);
+                validPath = !createNonDefaultTopLevelDir && canSystemGalleryAccessTheFile(
+                        res.getAbsolutePath());
             }
 
             // Nothing left to check; caller can't use this path
@@ -4760,9 +4760,15 @@ public class MediaProvider extends ContentProvider {
                 } else if (isCallingPackageManager()) {
                     // Apps with MANAGE_EXTERNAL_STORAGE have all files access, hence they are
                     // allowed to insert files anywhere.
+                } else if (getCallingPackageTargetSdkVersion() >=
+                        Build.VERSION_CODES.UPSIDE_DOWN_CAKE) {
+                    // Throwing an exception so that it doesn't result in some unexpected
+                    // behavior for apps and make them aware of what is happening.
+                    throw new IllegalArgumentException("Mutation of " + column
+                        + " is not allowed.");
                 } else {
                     Log.w(TAG, "Ignoring mutation of  " + column + " from "
-                            + getCallingPackageOrSelf());
+                        + getCallingPackageOrSelf());
                     initialValues.remove(column);
                 }
             }
@@ -7373,9 +7379,8 @@ public class MediaProvider extends ContentProvider {
         }
 
         // 2. Check if the calling package is a special app which has global access
-        if (isCallingPackageManager() ||
-                (canAccessMediaFile(srcPath, /* excludeNonSystemGallery */ true) &&
-                        (canAccessMediaFile(destPath, /* excludeNonSystemGallery */ true)))) {
+        if (isCallingPackageManager() || (canSystemGalleryAccessTheFile(srcPath) &&
+            (canSystemGalleryAccessTheFile(destPath)))) {
             return true;
         }
 
@@ -8446,9 +8451,6 @@ public class MediaProvider extends ContentProvider {
                 // We bypass db operations for legacy system galleries with W_E_S (see b/167307393).
                 // Tracking a longer term solution in b/168784136.
                 return true;
-            } else if (isCallingPackageRequestingLegacy()) {
-                // If requesting legacy, app should have W_E_S along with SystemGallery appops.
-                return false;
             } else if (!SdkLevel.isAtLeastS()) {
                 // We don't parse manifest flags for SdkLevel<=R yet. Hence, we don't bypass
                 // database updates for SystemGallery targeting R or above on R OS.
@@ -8465,18 +8467,16 @@ public class MediaProvider extends ContentProvider {
         return MimeUtils.resolveMediaType(mimeType);
     }
 
-    private boolean canAccessMediaFile(String filePath, boolean excludeNonSystemGallery) {
-        if (excludeNonSystemGallery && !isCallingPackageSystemGallery()) {
+    private boolean canSystemGalleryAccessTheFile(String filePath) {
+
+        if (!isCallingPackageSystemGallery()) {
             return false;
         }
-        switch (getFileMediaType(filePath)) {
-            case FileColumns.MEDIA_TYPE_IMAGE:
-                return mCallingIdentity.get().hasPermission(PERMISSION_WRITE_IMAGES);
-            case FileColumns.MEDIA_TYPE_VIDEO:
-                return mCallingIdentity.get().hasPermission(PERMISSION_WRITE_VIDEO);
-            default:
-                return false;
-        }
+
+        final int mediaType = getFileMediaType(filePath);
+
+        return mediaType ==  FileColumns.MEDIA_TYPE_IMAGE ||
+            mediaType ==  FileColumns.MEDIA_TYPE_VIDEO;
     }
 
     /**
@@ -8508,7 +8508,7 @@ public class MediaProvider extends ContentProvider {
 
         // Apps with write access to images and/or videos can bypass our restrictions if all of the
         // the files they're accessing are of the compatible media type.
-        if (canAccessMediaFile(filePath, /*excludeNonSystemGallery*/ false)) {
+        if (canSystemGalleryAccessTheFile(filePath)) {
             return true;
         }
 
@@ -10584,7 +10584,13 @@ public class MediaProvider extends ContentProvider {
     }
 
     private boolean isCallingPackageSystemGallery() {
-        return mCallingIdentity.get().hasPermission(PERMISSION_IS_SYSTEM_GALLERY);
+        if (mCallingIdentity.get().hasPermission(PERMISSION_IS_SYSTEM_GALLERY)) {
+            if (isCallingPackageRequestingLegacy()) {
+                return isCallingPackageLegacyWrite();
+            }
+            return true;
+        }
+        return false;
     }
 
     private int getCallingUidOrSelf() {